The Trivy Jenkins plugin doesn’t just scan your code; it actively prevents vulnerable artifacts from ever reaching production by integrating directly into your CI/CD workflow.
Let’s see Trivy in action. Imagine you have a Dockerfile for a simple web application. In your Jenkinsfile, you can add a Trivy scan step like this:
pipeline {
agent any
stages {
stage('Build') {
steps {
script {
// Build your Docker image
sh 'docker build -t my-web-app:latest .'
}
}
}
stage('Security Scan') {
steps {
trivyScan(
artifact: 'my-web-app:latest',
severity: 'CRITICAL,HIGH',
format: 'json',
outputFile: 'trivy-results.json'
)
}
}
stage('Deploy') {
when {
// Only deploy if the security scan passed (no CRITICAL or HIGH vulnerabilities)
expression {fileExists('trivy-results.json') && readFile('trivy-results.json').contains('"Vulnerabilities":[]')}
}
steps {
echo 'Deploying application...'
// Your deployment steps here
}
}
}
}
Here, trivyScan is the core step. We tell it to scan the my-web-app:latest Docker image, focusing on CRITICAL and HIGH severity vulnerabilities. The results are saved as trivy-results.json. The subsequent Deploy stage uses a when condition to check if the trivy-results.json file exists and, crucially, if it contains an empty Vulnerabilities array, meaning no critical or high issues were found. If vulnerabilities are present, the pipeline will stop before deployment.
The real power of the Trivy Jenkins plugin lies in its ability to act as a gatekeeper. Instead of relying on separate, manual security checks, you embed security directly into the automated process. This means every build can be checked for vulnerabilities in its dependencies, operating system packages, and IaC configurations. Trivy supports scanning container images, Git repositories, and file systems, making it versatile for different stages of your development lifecycle.
Internally, the plugin leverages the Trivy CLI. When you configure a trivyScan step, the Jenkins plugin constructs the appropriate trivy command with your specified arguments (like target, severity, format) and executes it within the Jenkins agent’s environment. It then parses the output (often JSON for programmatic use) and can use this information to fail the build, publish reports, or trigger other actions.
The primary problem this solves is the disconnect between development speed and security. Developers often prioritize getting features out quickly, leaving security as an afterthought. Trivy, integrated into Jenkins, shifts security left, making it an inherent part of the build and deployment process. It democratizes security by providing actionable insights directly to the development team within their familiar CI/CD tool.
The exact levers you control are primarily within the trivyScan step:
artifact: The target to scan (e.g.,image-name:tag,/path/to/repo,/path/to/filesystem).severity: A comma-separated list of severities to fail on (e.g.,CRITICAL,HIGH,LOW,MEDIUM,HIGH).skip-files: A comma-separated list of paths to skip during scanning.skip-dirs: A comma-separated list of directories to skip.format: The output format (e.g.,json,template,table).jsonis common for pipeline logic.outputFile: Where to save the scan results.ignoreUnfixed: Whether to ignore vulnerabilities that have no fix available.
A common point of confusion is how to interpret the results for pipeline logic. While you can use readFile and string searching as shown in the Deploy stage example, for more robust logic, you’d typically parse the outputFile (if format: 'json') using Groovy’s JSON parsing capabilities within a script block to check specific vulnerability counts or CVEs.
The next concept you’ll likely explore is configuring Trivy to scan more than just container images, such as IaC files (Terraform, CloudFormation) or application dependencies directly.